Cryptoucan™ usage: Generating keys

Written by Lída Hrnčířová on May 23, 2019.

In this week’s article we’ll show you how to generate your own set of private keys on Windows using Thunderbird. You’ll also learn what a revocation certificate is for and how to get one. We’ve created another instructional video that will guide you through the whole process; you can find it at the end of this post as usual.

To be able to sign, encrypt or decrypt e-mails, you have to generate your keys[1] first. You’re going to get three types of keys: a signature key, an authentication key and a decryption key. All of them are pairs of private and public keys. The public key, as you can guess from its name, is for others to use to send you encrypted e-mails and to verify your signature. The private key is known only to you, and you’ll use it to sign your e-mails and to decrypt messages sent to you.

Keep reading to find out how to generate your keys or watch the instructional video here.

Generating keys

You’ll get to the key generator the same way as you did in the personalization process.
Open Thunderbird -> click the menu button in the top right corner of the window -> choose the Key management option in the Enigmail sub-menu -> choose the File option in the Enigmail Key Management window and continue with the Manage Smartcard option.

In the newly opened window, click the SmartCard option in the top bar and choose the Generate key option. Now you have finally reached the key generator.

Picture 1: Generate OpenPGP Key window

Here you have to choose the user identity for the newly generated keys.
In the next step you’ll have to uncheck the Save backup of key outside the card option, as the Cryptoucan won’t let you do it. This is a security feature.
The last thing you’re going to set is the key expiration period. You can check Key does not expire if that’s what you want.
When you click Generate key and then confirm it by clicking the same button in the following window, the process will begin.

During the process, you’ll be asked to enter your PIN codes (both user PIN 1 and administrative PIN 3) several times. Enter them using Cryptoucan’s keypad, and don’t forget to confirm them by pressing the hexagon symbol in the bottom right corner of the keypad.

Picture 2: entering PIN

Revocation Certificate

A revocation certificate is a special type of public key signature[2]. There are three common situations which will make you appreciate having a revocation certificate:

    1. Your private key is no longer private – anyone who knows your private key and has access to the emails can read them.
    2. You’ve blocked your Cryptoucan irreversibly by entering an incorrect admin PIN 3 too many times.
    3. You’ve generated new keys.

Once one of those situations happens, you can upload this certificate to key servers[3], which basically says: “I’m the owner of this key and I’m saying that the key is no longer valid.”
We strongly recommend getting the certificate, as it only takes a minute and it can save you a lot of trouble.
You’ll be asked whether you want to get the certificate right after you generate your keys. Click Generate Certificate, choose where you want to save it, click Save and then enter your PIN on Cryptoucan’s keypad one last time, as the certificate itself needs to be signed.
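
Since a revocation certificate is just a signature packet of a particular type, you can confirm that the file you saved really is one before you store it away. The following Python code is an added example, not part of the original article and not Cryptoucan's or Enigmail's own code: it reads the first OpenPGP packet and checks that it is a key revocation signature (type 0x20 in RFC 4880, Section 5.2.1), then reports the stated reason. The function names are hypothetical, the sample bytes are constructed for illustration, and the code assumes a version 4 signature with short subpackets.

```python
import base64

SIG_TAG = 2            # RFC 4880 section 4.3: signature packet
KEY_REVOCATION = 0x20  # RFC 4880 section 5.2.1: key revocation signature
REASONS = {0: "no reason specified", 1: "key superseded",
           2: "key material compromised", 3: "key retired"}

def dearmor(text):
    """Decode the base64 body of an ASCII-armored block (checksum not verified)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]  # skip armor headers, drop the END line
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def first_packet(data):
    """Return (tag, body) of the first packet, per RFC 4880 section 4.2."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:  # new-format header
        tag, n = hdr & 0x3F, data[1]
        if n < 192:
            start, length = 2, n
        elif n < 224:
            start, length = 3, ((n - 192) << 8) + data[2] + 192
        else:
            raise ValueError("length encoding not supported here")
    else:  # old-format header: 1, 2 or 4 length octets
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)
        length = int.from_bytes(data[1:start], "big")
    return tag, data[start:start + length]

def revocation_reason(data):
    """Return the stated reason if data is a v4 key revocation signature."""
    tag, body = first_packet(data)
    if tag != SIG_TAG or body[:2] != bytes([4, KEY_REVOCATION]):
        raise ValueError("not a v4 key revocation signature")
    area, i = body[6:6 + int.from_bytes(body[4:6], "big")], 0  # hashed subpackets
    while i + 2 < len(area) and area[i] < 192:  # one-octet subpacket lengths only
        if area[i + 1] & 0x7F == 29:  # Reason for Revocation subpacket
            return REASONS.get(area[i + 2], "other")
        i += 1 + area[i]
    return "no reason found"

# Constructed sample, not a real certificate: dummy signature value, reason code 1.
SAMPLE = bytes.fromhex("c216 04200108 0009 05025ce60000 021d01 0000 0000 0008ff")
```

For a certificate saved as ASCII-armored text, pass the file contents through `dearmor()` first and hand the result to `revocation_reason()`. This only inspects the packet structure; it does not verify the signature itself.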

At the end of this process, reconnect the USB cable to make sure your information is safely locked inside.

Feel free to watch the instructional video in case you got lost on the way to getting your own set of keys.

Video 1: Cryptoucan™ usage: Generating keys

Thank you very much for reading, we will see you next week – same time, same place!


1. More info: Key management – introduction
2. More info: RFC 4880, Section 5.2.1
3. More info: Key server